Pigeoncoin Hacked for $15,000: May be a Warning Sign for Other Bitcoin Forks

A minor altcoin called Pigeoncoin has suffered a small-scale attack resulting in the theft of 235 million PGN tokens, worth approximately $15,000. Some have mocked the attacker’s modest gains, with ZDNet wryly headlining the story “Hacker wastes entire day only to make $15,000.”

The attack is indeed unimpressive compared to other attacks that have netted millions of dollars. However, the attack devastated Pigeoncoin, as it depleted over a quarter of the altcoin’s total supply. Furthermore, the attack may not be the last of its kind.

The Bitcoin Bug

The attack on Pigeoncoin involved a 51% attack and a double-spend attack, in which the hacker essentially bought out the Pigeoncoin network, took control of it, and made off with the money.

In late September, Bitcoin developers discovered a critical bug (CVE-2018-17144) which allowed this type of attack. Bitcoin was patched before such an attack could occur. Unfortunately, Pigeoncoin was based on Bitcoin, and its developers did not patch the coin until it was too late.

The possibility of an attack on an altcoin was known from the start. As soon as the Bitcoin fix was published, some commentators began to warn that Bitcoin forks and clones could fall victim to attacks. As Emin Gün Sirer noted:

“Copycat currencies are at risk. By definition, there’s always a group upstream that knows their vulnerabilities.”

By publicly disclosing bugs, major cryptocurrencies can put derivative cryptocurrencies at risk. This is because public disclosure can give hackers a chance to exploit the bug in a derivative coin before that coin's developers can fix it.

Altcoins At Risk

In his comment, Sirer was referring to Litecoin, a fork of Bitcoin which was not promptly notified of the bug. Litecoin nevertheless patched itself as soon as possible and avoided an attack.

Minor coins may not be so diligent: the most valuable coins are meticulous about security, but less significant Bitcoin forks may fail to keep up with security developments.

Similar “downstream effects” have occurred with other coins in the past. In 2017, a Monero bug that allowed unlimited coin minting was discovered, and Monero’s less valuable counterpart Bytecoin was quickly exploited.

Since the Bitcoin fix is just over two weeks old, Pigeoncoin could become the first in a series of similar hacks on minor altcoins. Although these may be individually insignificant, they could add up to a more severe problem.